CVE-2025-68433

HIGH
Published Dec 17, 2025 Modified Feb 19, 2026 CWE-77

Description

Zed, a code editor, has an aribtrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Model Context Protocol (MCP) configurations from the `settings.json` file located within a project’s `.zed` subdirectory. A malicious MCP configuration can contain arbitrary shell commands that run on the host system with the privileges of the user running the IDE. This can be triggered automatically without any user interaction besides opening the project in the IDE. Version 0.218.2-pre fixes the issue by implementing worktree trust mechanism. As a workaround, users should carefully review the contents of project settings files (`./zed/settings.json`) before opening new projects in Zed.

Is your site exposed to CVE-2025-68433?

Run a free security scan — no signup, results in seconds.

CVSS v3.1 Score

7.7
HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Weakness Type (CWE)

CWE-77 CWE-77

Affected Products

Vendor Product
zed zed

References

Frequently Asked Questions

What is CVE-2025-68433? +
Zed, a code editor, has an aribtrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Model Context Protocol (MCP) configurations from the `settings.json` file located within a project’s `.zed` subdirectory. A malicious MCP configuration can contain arbitrary shell commands that run on the host system with the privileges of the user running the IDE. This can be triggered automatically without any user interaction besides opening the project in the IDE. Version 0.218.2-pre fixes the issue by implementing worktree trust mechanism. As a workaround, users should carefully review the contents of project settings files (`./zed/settings.json`) before opening new projects in Zed. It has a CVSS v3.1 base score of 7.7 (HIGH).
How severe is CVE-2025-68433? +
CVE-2025-68433 has a CVSS v3.1 score of 7.7 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.
What products are affected by CVE-2025-68433? +
CVE-2025-68433 affects products from zed, specifically: zed. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-68433? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-68433 — free, no signup required.